CVE-2015-3185

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

Publish Date: 2015-07-20
Last Update Date: 2015-07-21

CVSS Scores & Vulnerability Types

CVSS Score: 4.3

Confidentiality Impact: None (There is no impact to the confidentiality of the system.)

Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)

Availability Impact: None (There is no impact to the availability of the system.)

Access Complexity: Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.)

Authentication: Not required (Authentication is not required to exploit the vulnerability.)